GRCWatch
Sign inStart free trial

GDPR Article 36: Prior Consultation for High-Risk Data Processing

When a Data Protection Impact Assessment reveals high residual risk, GDPR Article 36 mandates you consult your supervisory authority before processing begins. This critical gating control prevents non-compliant deployments and protects your organization from regulatory action. Understanding when consultation is required—and how to execute it properly—is essential for any processing activity involving significant risk.

What this means

Article 36 establishes a mandatory prior consultation requirement triggered when your DPIA concludes that proposed processing would create high residual risk despite planned mitigation measures. Unlike optional risk assessments, this is a gate: you cannot lawfully proceed with the processing until the supervisory authority has been consulted and you've incorporated their guidance. The consultation obligation applies to processors acting on behalf of controllers, ensuring independent oversight before high-risk activities launch.

How to comply

  1. 1.Conduct a complete Data Protection Impact Assessment (DPIA) before any high-risk processing begins, documenting all envisaged operations, purposes, and legitimate interests.
  2. 2.Evaluate mitigation measures you plan to implement and assess whether residual risk remains 'high' after those controls are applied.
  3. 3.Identify your relevant supervisory authority (typically where your main establishment is located or where processing occurs).
  4. 4.Prepare a formal prior consultation request including your DPIA findings, identified residual risks, proposed mitigations, and any third-party impact assessments.
  5. 5.Submit the consultation request to the supervisory authority with sufficient time for review (typically 4–8 weeks depending on jurisdiction).
  6. 6.Document the supervisory authority's feedback, recommendations, and any conditions they impose before proceeding.
  7. 7.Implement all required changes and maintain evidence of consultation compliance in your accountability records.
  8. 8.Do not commence high-risk processing until written confirmation or clearance is received from the supervisory authority.

Evidence auditors look for

  • Completed Data Protection Impact Assessment clearly identifying high residual risk and the specific processing operations that trigger Article 36.
  • Written prior consultation request submitted to the supervisory authority with date of submission and reference number.
  • Supervisory authority's formal response letter, opinion, or written authorization confirming consultation completion and any required modifications.
  • Risk mitigation documentation showing measures implemented based on supervisory authority feedback.
  • Internal records demonstrating that processing did not commence until after consultation was completed and cleared.
  • Policy documentation defining the triggers for prior consultation and the internal escalation workflow for high-risk processing decisions.

Frequently asked questions

When will FAQs be available?

The FAQ for this control is currently being prepared.

GRCWatch automates DPIA documentation and risk assessment workflows, flagging Article 36 consultation triggers automatically so you never miss a prior consultation deadline or proceed with unvetted high-risk processing.

See how GRCWatch handles this control automatically

Start free trial

Related controls

GDPR Article 35 — Data Protection Impact Assessment (DPIA)GDPR Article 32 — Security of ProcessingGDPR Article 5 — Principles Relating to Processing